Posts Tagged ‘Retail POS Data Breach’

The Target breach symbolizes the moment when the threat of personal data security violations became mainstream in America; and today, we don’t think about fraud in terms of if it will happen – it’s when it will happen.

It’s hard to remember a time when reports of data breaches, ransomware attacks and business email compromises (BEC) weren’t part of our daily lives. In fact, not so long ago we were pretty content to believe that the controls companies had in place were enough to protect us from the invisible threat of hackers and cyber criminals. But that was just a dream – and it wasn’t long before that dream manifested into a nightmarish scenario for one of the nation’s largest retailers.

Two years ago, cyber criminals gained access to the point-of-sale systems belonging to Target. Authorities later learned that the hacker(s) gained access to about 11 GB worth of data (including highly-sensitive personal and credit card information). When the dust settled, about 70 million consumers nationwide were left vulnerable to identity theft and credit card fraud. This magnitude of this breach was huge and, as a result, companies everywhere made an effort to buckle down and implement a slew of “best practices.” But what has really changed since December 2013?

What Have We Learned From Target?

The Target breach symbolizes the moment when the threat of personal data security violations became mainstream in America; and today, we don’t think about fraud in terms of if it will happen – it’s when it will happen. But instead of becoming more vigilant about data security practices, it appears as though consumers have chosen a more desensitized reaction. These days we are content with trusting the credit card companies to notify us of any suspicious activity occurring on our account rather than implementing safer payment practices in our daily lives.

Retailers and credit card companies, on the other hand, have worked hard to make it more difficult for hackers to access their customer data. Since the breach, Target has:

Installed EMV compliant point-of-sale (POS) terminals in all stores to allow for transactions to be processed using a token instead of actual credit card numbers.

Joined two cybersecurity threat-sharing organizations in order to share and retrieve valuable information concerning data breaches and the source of those breaches.

Implemented more stringent firewall rules and governance procedures.

Constantly monitors and logs system activity.

Applied whitelisting technology, an administrative process that allows only preapproved applications to execute in a system, on the store’s POS systems.

Disabled or placed limited access on vendor accounts.

Deployed 2-factor authentication.

Established password vaults and required the use of more complex passwords.

Thoroughly reviewed and revised its process on how to determine which employees and contractors would have access to consumer data.

With the exception of the first two points, the measures Target has taken since its 2013 data breach are considered best practices, which means that if your business doesn’t have these security measures in place, you shouldn’t wait any longer. And, with regard to EMV technology, most businesses were expected to install and activate the new technology before Oct. 1, 2015 to avoid liability for losses resulting from fraudulent transactions.

A Moving Target

As long as there are fraudsters willing to pay for stolen names, addresses, credit card numbers and expiration dates, phone numbers, email addresses, dates of birth, Social Security numbers, etc., there will be cyber criminals looking for a way to hack into your company’s system to gain access to your consumer data or intellectual property. But if you are really serious about keeping your data safe, there are additional measures you can take.

1. Reinforce Your Firewall

Firewalls should be securely configured and continuously monitored. There are many providers that perform 24-7 firewall monitoring services to protect your company from attacks and or to alert you to signs of a possible breach. Moreover, providers are also coupling these services with the use of whitelists or blacklists, which triggers an immediate response if a potential threat is identified. Another great reinforcement for companies with experienced IT staff, would be the implementation of SIEM (Security Information and Event Management) or IDS (Intrusion Detection System) software.

2. Take Your VIP List Seriously

Not everybody should have access to your company’s domain – especially outside groups, and you should take care to review your employee and vendor access accounts routinely. The 2013 Target breach was a result of a breach that was intended for one of Target’s vendors. But, once in, the hacker was able to work his way into the Target Vendor Portal and infiltrate the Target POS systems.

3. Don’t Take Your Passwords For Granted

While doing so, be sure to verify that these credentials, in particular, require complex passwords, a limit on the number of attempts allowed before automatically disabling the account, and that they are required to be changed regularly. (Believe it or not, the most common password continues to be “123456” – proving that we are still not learning from past mistakes.)

POS malware, known as Backoff, was identified last week as having targeted a New Orleans restaurant, a much smaller retailer than UPS. On July 31, several government agencies sent out an alert about Backoff. The alert explained the risks that Backoff posed to U.S. businesses, including smaller merchants, and that this new form of malware was found to infect POS systems via access to a remote-access portal.

While these recent incidents may not affect you or your business directly, the discovery of this new form of malware should cause you to stop and assess your business’s IT security situation. Do you have the right security protocols in place to protect your business – and your customers – from a potential data breach?

How To Protect Your Business From A Data Breach

Your mind may be far from thinking about your business’s IT environment. You’re probably focused more on the day-to-day operations of your business and serving your customers. But think of protecting your business’s IT environment as one way of serving your customers. By protecting your IT systems, you are helping ensure that your customers’ personal and financial data is safe. Here are some ways you can protect your business’s IT environment:

Use End Point Protection monitoring to verify that all workstations are current on their virus definition files and OS patches.

Make sure all servers are patched with the most current operating system security patches.

Employ a vendor to complete penetration testing to find any open avenues to your network.

Consider implementing Intrusion Detection Systems (IDS) or Security Information & Event Management (SIEM) applications. Many companies utilize IDS/SIEM to monitor their incoming and outgoing network traffic. If the expense is too great or you don’t have qualified personnel, then consider a vendor to provide the service. Many vendors provide these services at a very reasonable price.

The Cost of Protecting Your Customers

What cost is too much to protect my customers’ data? Only you can answer this question. UPS and the restaurant have chosen to pay for identity theft and credit monitoring services for customers who may have been affected from their data breaches (a data breach-related expense many companies don’t consider). But take that one step further. What cost is too much to protect my business’s reputation? In order for your company to survive in today’s digital world, it’s critical for your business to cultivate a culture of trust with your customers. Many businesses find that they’ll do what it takes to prevent security breaches. What will you do?